vxlan: fix a use after free in vxlan_encap_bypass

when netif_rx() is done, the netif_rx handled skb maybe be freed,
and should not be used.

Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
index 2a51e6e48e1ef27c3176f9501fcb9e8ae3594558..faf1bd1f1ecf42b0c4dfd10ba6509bac056d93cc 100644 (file)
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -1668,6 +1668,8 @@ static void vxlan_encap_bypass(struct sk_buff *skb, struct vxlan_dev *src_vxlan,
        struct pcpu_sw_netstats *tx_stats, *rx_stats;
        union vxlan_addr loopback;
        union vxlan_addr *remote_ip = &dst_vxlan->default_dst.remote_ip;
+       struct net_device *dev = skb->dev;
+       int len = skb->len;
 
        tx_stats = this_cpu_ptr(src_vxlan->dev->tstats);
        rx_stats = this_cpu_ptr(dst_vxlan->dev->tstats);
@@ -1691,16 +1693,16 @@ static void vxlan_encap_bypass(struct sk_buff *skb, struct vxlan_dev *src_vxlan,
 
        u64_stats_update_begin(&tx_stats->syncp);
        tx_stats->tx_packets++;
-       tx_stats->tx_bytes += skb->len;
+       tx_stats->tx_bytes += len;
        u64_stats_update_end(&tx_stats->syncp);
 
        if (netif_rx(skb) == NET_RX_SUCCESS) {
                u64_stats_update_begin(&rx_stats->syncp);
                rx_stats->rx_packets++;
-               rx_stats->rx_bytes += skb->len;
+               rx_stats->rx_bytes += len;
                u64_stats_update_end(&rx_stats->syncp);
        } else {
-               skb->dev->stats.rx_dropped++;
+               dev->stats.rx_dropped++;
        }
 }